
Security Incident Response release notes

Jakarta upgrade information

Application administration is enabled for Security Incident Response by default.
Before upgrading, verify whether you have added custom tables to Security
Incident Response. If so, and your custom tables rely on global ACLs, you may
need to recreate those global ACLs in the Security Incident Response scope after
the upgrade. If you added custom roles or custom ACLs, retest them after the
upgrade and ensure the Assignable by attribute on the roles is set correctly to
allow access to application administration.

After you upgrade, modify any custom integrations that write or read Security
Incident observables so that they use the Observables table and the new
many-to-many (m2m) relationship with Security Incident. The Context field in the
m2m table defines the relationship of the observable to the security incident for
Observable Types, such as IP (Source or Destination) and URL (Referrer).
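The migration described above, as an added example that is not ServiceNow's own code: plain JavaScript that turns a legacy record's per-field observables into one Observables row per distinct indicator plus one m2m row per (incident, observable, Context). The legacy field names, the in-memory tables and the sample records are assumed and constructed; a real script would perform the same steps with GlideRecord.

```javascript
// Legacy field names are assumed for illustration, not real SIR columns.
// Each maps to an observable type and the Context value it becomes in the m2m table.
const LEGACY_FIELD_MAP = [
  { field: 'src_ip',       type: 'IP',  context: 'Source' },
  { field: 'dest_ip',      type: 'IP',  context: 'Destination' },
  { field: 'referrer_url', type: 'URL', context: 'Referrer' },
];

// Blank or malformed legacy values must never become observables.
function isValidObservable(type, value) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  if (type === 'IP') {
    return /^(\d{1,3}\.){3}\d{1,3}$/.test(value) && value.split('.').every(o => Number(o) <= 255);
  }
  if (type === 'URL') return /^https?:\/\/\S+$/i.test(value);
  return false;
}

// observables: Map keyed by type+value, so an indicator seen on many incidents is stored
// once (this is what enables correlation). m2m: array of { incident, observable, context }.
// Returns the number of m2m rows created; re-running on the same incident creates none.
function migrateIncident(incident, observables, m2m) {
  let added = 0;
  for (const { field, type, context } of LEGACY_FIELD_MAP) {
    const value = incident[field];
    if (!isValidObservable(type, value)) continue;
    const key = `${type}:${value}`;
    if (!observables.has(key)) observables.set(key, { id: observables.size + 1, type, value });
    const obs = observables.get(key);
    // One incident may reference the same observable under two contexts
    // (an IP that is both Source and Destination); keep both, but never duplicate a row.
    const exists = m2m.some(r => r.incident === incident.number && r.observable === obs.id && r.context === context);
    if (!exists) { m2m.push({ incident: incident.number, observable: obs.id, context }); added++; }
  }
  return added;
}

// Correlation in the spirit of the new related lists: other incidents sharing an observable.
function relatedIncidents(number, m2m) {
  const mine = new Set(m2m.filter(r => r.incident === number).map(r => r.observable));
  return [...new Set(m2m.filter(r => r.incident !== number && mine.has(r.observable)).map(r => r.incident))];
}

// Constructed sample legacy records (not real data).
const legacy = [
  { number: 'SIR0001', src_ip: '10.0.0.5', dest_ip: '10.0.0.5', referrer_url: 'http://example.test/a' },
  { number: 'SIR0002', src_ip: '10.0.0.5', dest_ip: '',          referrer_url: 'not a url' },
];
const observables = new Map();
const m2m = [];
const migratedCounts = legacy.map(inc => migrateIncident(inc, observables, m2m));
```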

Activation information

Activate the Security Incident Response plugin
and configure it based on the needs of your organization. This plugin is available as a
separate subscription.

Carbon Black and Unix systems include base-system integrations to get a list of
running processes as part of automated enrichment for a security incident. You can
define whitelists and blacklists to exclude common processes and highlight those
processes known to be commonly associated with threats.

You can correlate between security incidents and shared observables with new related
lists. Related Users and Related Configuration
Items detail users and configuration items from other security incidents
with similar observables.

You can apply tags to security incidents to classify them in generic ways. You can
organize these tags into groups, applying a single group member to a security incident.
These tags can restrict user access. By default, the system comes with an
implementation of the NIST Traffic Light Protocol (TLP). It includes roles that can be
used to restrict user access based on the TLP designation.

Changed in this release

Observables associated with a security incident are stored in a table,
which:

Improves support for incidents with many observables

Enables correlation with other security incidents

Provides a way to select and perform local searches using a related list

Observables are in a related list and can be added individually from this list or
using the Add Multiple Observables related link.

Embedded and related lists for security incidents: Several embedded lists have
been changed to related lists in Security Incident. You can select and view different
groupings of related lists on a security incident from a set of Related Links.

Label change: Business Criticality has been changed to
Business Impact.

Removed in this release

Security incident fields for observables: Observable fields are deprecated and
replaced with an m2m relationship to the Observables table:

Note: If you have custom integrations using these fields, they still work; however,
they are no longer used by Security Incident Response. You can update your
integrations to use the new fields in Security Incident observables.